CVE-2025-61598: 
Discourse vulnerability analysis and mitigation

Discourse, an open source discussion platform, was found to have a security vulnerability (CVE-2025-61598) affecting versions before 3.6.2 and 3.6.0.beta2. The vulnerability was related to missing default Cache-Control response headers with values no-store, no-cache in error responses. This vulnerability was disclosed on October 28, 2025, and has been assigned a CVSS v4.0 base score of 6.3 (Medium) (GitHub Advisory).

The vulnerability stems from the absence of Cache-Control response headers specifically in error responses. The issue has been assigned a CVSS v4.0 vector string of CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, indicating it is network-accessible, requires low attack complexity, and has low confidentiality impact. The vulnerability is tracked as CWE-524 (Use of Cache Containing Sensitive Information) (NVD).

The missing Cache-Control headers in error responses could lead to unintended caching of those responses by proxies, potentially enabling cache poisoning attacks. This could result in sensitive information being cached and potentially exposed to unauthorized users (GitHub Advisory).

The vulnerability has been fixed in Discourse versions 3.6.2 and 3.6.0.beta2. The fix involves ensuring that all responses have the Cache-Control header set to no-cache, no-store by default, with individual controller actions having the ability to override the header when necessary (GitHub Commit).